Security is also about education

Today I visited a doctor’s office that is part of the geographical region of Västra Götaland, which is somewhat unimportant, except that I want you to understand that the “local doctor’s office” is part of a bigger organisation. This organisation spends a lot of time securing their data and I have no issue with trusting them to take care of my journal.

So, this morning when I was in a treatment room, the nurse had to go get a throat testing kit. I was left in the room, all alone, with a closed door for about four to five minutes. In the room there was a workstation, currently displaying my journal. Yes, it was unlocked! And it wasn’t only unlocked: the security card used for authorization within the organisation was still left in the workstation’s card reader. I don’t know that much about how locked down their terminals are and how hard it would be to “skim” the card, but even so, I think that this shows how weak security is. You can spend huge resources on software and hardware, but still have the lousiest security, if you don’t educate your employees in the secure use of the IT equipment.

Don’t just spend money on infrastructure. Spend money on the education of your employees too. I’ve been at organisations where you even had to take a course + exam just to access the Internet. You might think that a programmer would gain this level of trust from the beginning. But do you know what? I was all fine with it. It shows me that they are serious about their business. You should be too.

//Daniel